CNCF Mechanizer #1296
Labels: devtools-week, kind/user-story (user story for new enhancement), lifecycle/stale (not updated for 90 days), lifecycle/rotten (stale for 60 days and now closed)
/kind user-story
Which area is this user story related to?
/area api
/area library
/area registry
/area alizer
/area devworkspace
/area landing-page
User Story
The Mechanizer Badge
Requirements - #1283
To satisfy this requirement, we need to have an automated mechanism to publish our SBOMs upon every release. The problem is, our release process is on demand and because it's infrequent, we've been content with just running our scripts manually.
The webinar mentioned goreleaser, which automates the release process and can generate SBOMs. This looks interesting and it is something we should look into since there is the potential it can be adopted by our other repos. We can refer to this example, which uses goreleaser.
TODO
I've considered other alternatives like using one of the recommended SBOM generator tools to generate and upload an artifact in our CI workflow, but this is not tied to our release process. We may need to manually download the artifact and drop it whenever we cut a release, so I don't think it will satisfy the badge requirements.
Estimated Time: ~3-4 weeks (assuming everything is straightforward with the investigation)
Edit: I just thought of another approach. We can consider keeping the existing release process and just integrate the SBOM generation. Since we are using the hub CLI to create the release, we need to figure out if there's a command to upload the generated artifact. This could cut down the time to 1-2 weeks.
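The release-integration approach from the edit above, written out as an added example script (not the project's own release tooling): it assumes syft as the SBOM generator, SPDX JSON as the output format, a release already created with hub and identified by its tag, and adds a sanity check that refuses to attach an empty or malformed document to the release.

```shell
#!/usr/bin/env bash
# Added example, not the project's script. Generates an SBOM for a tagged
# release and attaches it to the GitHub release the existing hub-based
# process already created.
# Assumptions (not from the issue): syft is installed and used as the
# generator, SPDX JSON is the format, and the release tag is passed as $1.
set -eu

SBOM_FORMAT="spdx-json"

# Name the SBOM after the tag so every release gets a distinct artifact.
sbom_filename() {
  local tag="$1"
  printf '%s\n' "sbom-${tag}.spdx.json"
}

# Sanity check before uploading: an SPDX JSON document must be non-empty
# and carry an spdxVersion field and a packages list. Returns 0 when OK,
# 1 otherwise, so a broken generator run never ships as a "published SBOM".
validate_sbom() {
  local file="$1"
  [ -s "$file" ] || return 1
  grep -q '"spdxVersion"' "$file" || return 1
  grep -q '"packages"' "$file" || return 1
  return 0
}

# Generate the SBOM from the checked-out source tree with syft (assumed tool;
# "-o format=file" writes the report to the given path).
generate_sbom() {
  local tag="$1" out
  out="$(sbom_filename "$tag")"
  syft "dir:." -o "${SBOM_FORMAT}=${out}"
  printf '%s\n' "$out"
}

# Attach the SBOM to the existing release. "hub release edit -a" attaches an
# asset; -m is passed so hub does not open an editor in CI (assumption). Note
# that -m replaces the release title/body, so pass the existing notes instead
# of the bare tag if they must be preserved.
attach_to_release() {
  local tag="$1" file="$2"
  hub release edit -a "$file" -m "$tag" "$tag"
}

main() {
  local tag="$1" file
  file="$(generate_sbom "$tag")"
  if ! validate_sbom "$file"; then
    echo "refusing to upload malformed SBOM: $file" >&2
    exit 1
  fi
  attach_to_release "$tag" "$file"
}

# Run the pipeline only when a tag is given, so the functions can also be
# sourced and exercised on their own.
if [ "${1:-}" != "" ]; then
  main "$1"
fi
```

Invoke it as `./publish-sbom.sh v1.2.3` from the repository root after the release step that creates the tag; the validation step is the part worth keeping whichever generator or upload command the investigation settles on.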
Triaged at #1292 (comment)
Repo Checklist